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Abstract—Electronic voting (e-voting) presents a convenient 
and cost-effective alternative to current paper ballot-based voting. 
It provides many benefits such as increased voter turnout and 
accuracy in the decision-making process. While presenting many 
improvements, e-voting still faces serious security challenges that 
hinder its adoption, especially when designed to be run over 
mobile devices. In this paper, we propose a novel remote e- 
voting model for large-scale elections by proposing the partic- 
ipation of two conflicting parties to ensure election integrity and 
accountability. Our scheme can be implemented in IoT devices 
such as smartphones, which we believe can significantly increase 
voter turnout of the election process. Our proposed work is 
secure and preserves voter privacy through secure multi-party 
computations performed by parties of differing allegiances. It 
also leverages a blockchain running smart contracts as a publicly 
accessible and tamper-resistant bulletin board to permanently 
store votes and prevent double-voting. In our security and privacy 
analysis, we show that our proposed scheme is secure against 
potential security threats and provides voter anonymity. We 
show orthogonality between universal verifiability and coercion- 
resistance in our proposed scheme, allowing an election to favor 
one over the other. Our performance analysis and smartphone 
simulation results show that the proposed scheme is practical for 
large-scale elections. 


Index Terms—Remote e-voting, voter anonymity, universal 
verifiability, coercion-resistant, unlinkability, blockchain 


I. INTRODUCTION 


More than half the world’s countries are classified as 
democratic nations, employing governments that enforce and 
secure their democracies. While these governments may vary 
in structure, they all grant eligible members the ability to 
exercise their power by voting. However, guaranteeing that 
a democratic election is free and fair still remains a challenge 
for most governments. Let alone, proving the freeness and 
fairness of the election to everyone, especially to the losing 
candidates, is an even bigger challenge. 

A free election should entail multiple imperative fea- 
tures [1]. Before voting, proper voter registration is required 
to grant voting rights only to eligible voters. Voters should 
be able to remain anonymous, maintaining an election free of 
ballots that could be linked to their voters. Furthermore, to en- 
sure that votes are tallied properly, verifiability should also be 
integrated to prove to everyone the legitimacy of the election 
results and avoid controversy. Concurrently, for an election to 
be fair, all eligible voters should have equal registration and 
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ballot casting availability and accessibility regardless of any 
limitations such as geographical location or economic status. 
This means that voters that are unable to physically access 
their poll-sites, for example, absent personnel serving in the 
military, should be able to cast their ballots remotely while 
maintaining the equivalent requirements of a free election. 
A fair election should also maintain the secrecy of the cast 
ballots throughout the voting phase to prevent last-minutes 
voters from skewing the final count. 

Nowadays, the majority of democratic elections are run 
or operated using in-person isolated poll-sites with rigorous 
monitoring in an effort to uphold a free and fair election. This 
requires voters to physically cast their ballots at predetermined 
public sites. The most widely utilized casting techniques 
include ballot box elections where voters insert their paper bal- 
lots into a box, scan them using optical scanners, or vote using 
a Direct-Recording Electronic (DRE) voting machine. While 
ballot box elections may cultivate many of the aforementioned 
features, they fall short in verifiability and require significant 
trust in the election organizers and tallying authority to behave 
honestly. While incorporating computerized systems such as 
optical scanners and DREs along with cryptographic primitives 
could help reduce the human factor intervention and may 
even offer verifiability, these systems still present computer 
vulnerabilities as proven by various research [2], [3]. Various 
schemes such as [4], [5] aim to minimize such vulnerabilities 
and provided end-to-end (E2E) verifiable voting. However, the 
mandatory requirement of voting at a poll-site using either 
technique interferes with the availability and accessibility 
fairness requirements and overall voter turnout. To overcome 
this issue, some elections may permit remote voting through 
absentee/mail-in ballots allowing voters to vote at other poll- 
sites or return their ballots via mail. Yet, these method raise 
concerns that ballots may be subject to fraud/manipulation 
during the process of transmission. 

Recent research has presented several remote voting sys- 
tems [6]-[12] that rely heavily on cryptography and aim to 
achieve the major desired requirements. Unfortunately, such 
systems have not been adopted by large-scale elections since 
they cannot achieve the same level of freeness and fairness 
achieved by conventional poll-site voting or they are only 
feasible and applicable to small-scale elections. In this paper, 
we introduce a novel voting scheme that enables free and 
fair large-scale elections. Our proposed scheme leverages the 
existence of at least two parties of an election with different 
allegiances that engage in a multi-party computation along 
with the voters. We assume that it conflicts with the interest of 
these parties to collude or exchange any information during 
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the election process that may sacrifice the winning chances 
of the candidates they support. All computations can be 
performed remotely at the convenience of the parties involved. 
In addition, voters are able to cast their votes from a mobile 
device and verify whether their votes have been cast and 
counted properly. Voter verifiability is based on randomly 
generated values that even if shared with coercers willingly, 
will not provide any information on how the voters have voted. 
Furthermore, we utilize a blockchain that acts as a publicly 
accessible bulletin board that voters cast and store their votes 
to. No computations of our proposed scheme are performed 
over the blockchain which will circumvent the scalability or 
cost issues of blockchain in large-scale elections. 


The model presented in this paper is primarily based on 
the US general election. It expands significantly on [13] in 
that we show orthogonality between universal verifiability 
and coercion-resistance in our proposed scheme, allowing an 
election to favor one over the other. We also prove that it 
is computationally infeasible to link any vote to the voter 
or multiple votes cast by one voter. The main contributions 
presented in this paper can be summarized as follows: 


e We develop d-BAME, a novel distributed anonymous 
mobile electronic voting scheme for large-scale elections. 
Our proposed scheme is designed to provide several de- 
sign trade-offs for elections with different requirements. 
It builds over secure multi-party computations, allowing 
voters to cast their votes remotely using mobile devices 
such as smartphones, storing them over a blockchain 
permanently and irreversibly. 

e We conduct comprehensive security and privacy anal- 
yses of d-BAME. We provide formal proofs to prove 
that d-BAME is secure against double voting, preserves 
voter anonymity, provides coercion-resistance and ballot 
unlinkability, and prevents manipulation to the election 
results. 

e We present a performance analysis for d-BAME and com- 
pare it to two existing blockchain-based schemes [14], 
[15]. We calculate the different number of operations 
performed by each involved party in the entire voting 
process for all schemes. Our analysis shows that d- MABE 
outperforms both schemes. 

e We implement a desktop application and an iOS mobile 
application for d-BAME and the corresponding smart 
contracts which we deploy over the Ropsten Ethereum 
testnet. We follow with an empirical evaluation showing 
the feasibility of d-BAME to be run on a mobile device. 
Our results show that, even when running it under encryp- 
tion key sizes of 4096 bits, voters can cast their votes via 
mobile devices in less than a minute. 


The rest of this paper is organized as follows. In Section II, 
the related work is reviewed. In Section III, preliminaries are 
introduced that summarize key concepts used in this research. 
Next, in Section IV, the problem formulation is described, 
outlining the system model and our design goals. In Section V, 
our proposed scheme is presented in detail outlining the pro- 
posed algorithms. Following that, in Section VI we formally 
prove the security and privacy of our proposed scheme. In 


Section VII, performance analysis and evaluation of d-BAME 
are conducted and give our empirical results in Section VIII. 
Following that, we discuss design trade-offs in Section IX. 
Finally, in Section X, a conclusion is drawn to summarize the 
work done in this research. 


II. RELATED WORK 


Previous work that achieves coercion-resistance and remote 
e-voting date back to 2005 when the work by Juels et al. [6] 
was introduced and later refined resulting in Civitas [7]. 
Although proven to be secure, the security came at the 
price of tabulation which is quadratic in respect to the total 
number of ballots being submitted in an election. Shortly, 
Helios [8] was proposed as a web-based open-audit voting 
system for elections where coercion is not a serious problem. 
The system achieves privacy using mixnets [9] and was later 
improved by Demirel et al. [10] by replacing the mixnets with 
homomorphic encryption and multi-party tallying. However, 
these systems primarily focus on universal verifiability while 
intentionally not taking coercion-resistance into account. 

In contrast, Selections [11] is a system that was proposed 
in which voter authentication relies on possession of certain 
voter passwords, allowing them to generate panic passwords in 
cases of coercion. This system relies on zero-knowledge proofs 
during the vote casting phase. Other systems such as [12], use 
a linear-time scheme to remove duplicated votes which may be 
submitted by voters to avoid coercion. This system also relies 
on voters indicating which electoral roll their votes belong to 
so that tallying authorities can identify which votes should 
be included in the total count. This results in faster tallying 
during the tabulation process. However, it requires additional 
trust in the elected trustees to add dummy ballots to make the 
system coercion-resistant. 

Based on concepts from [11] and [12], a protocol was 
introduced in [16] that requires voters to specify an anonymity 
set where each voter claims to be one of the voters within the 
set. This resulted in additional voter overhead costs during the 
authentication phase. Later, Zeus [17] was proposed following 
the initial framework of Helios [8] where mixing is performed 
using external agents. Although it provides universal verifia- 
bility, the system is not coercion-resistant as it provides voters 
with receipts at the end of voting. 

DEMOS-? [18] aims to be E2E verifiable through a voter 
supporting device (VSD) and trustees. The election authority 
uses voters‘ coins to generate and prove the security of a 
common reference string (CRS). The CRS can be used by 
the voters to affix non-interactive zero-knowledge (NIZK) 
proofs to their ciphertexts and by election authority to prove 
via a NIZK the tally correctness at the end of the election. 
Later, BeleniosRF [19] was introduced to also provide stronger 
receipt-freeness using signatures on randomizable ciphertexts 
(SRC) to prevent the voters from proving how they voted. 

More recently, Blockchain-based voting schemes began 
to appear, taking advantage of its irreversible, permanent, 
and smart contract features. Smart contracts for boardroom 
small-scale voting systems [14] were implemented over the 
Ethereum blockchain using the Open Vote Network [20]. 
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The main advantages of this system are that it is com- 
pletely decentralized, provides self-tallying, and achieves E2E 
characteristics. However, the system utilizes zero-knowledge 
proofs which increases its overall computational costs. The 
majority of these cryptographic computations are implemented 
in smart contracts and executed over the blockchain, limiting 
the protocol to small-scale elections. In addition, the system is 
not coercion-resistant and can be manipulated by last-minute 
voters since they can tally the results before casting their 
votes. To circumvent this issue, the scheme implements an 
optional additional round where voters initially cast a hashed 
version of their votes as a commitment before casting their 
actual encrypted votes. In this case, although last-minute voters 
can still compute the election results before casting their 
votes, they can no longer change their selection to manipulate 
the results. However, this method requires additional smart 
contract callings and computations, imposing additional costs. 

Another small-scale election was also introduced in [21] 
that relies on expensive homomorphic encryption primitives to 
preserve voter privacy. Similarly, incorporating such resource- 
intensive cryptographic computations requires significant costs 
and limits the scheme to small-scale elections. 

Currently, there are no widely acceptable large-scale 
blockchain-based voting schemes developed in literature. Al- 
though [15] has been proposed utilizing cryptographic tech- 
niques like Paillier encryption, proof-of-knowledge, and link- 
able ring signature, deploying such a scheme is computa- 
tionally inefficient and expensive. In addition to the informal 
security analysis provided in this work, voters have to interact 
with a smart contract deployed over the blockchain to cast 
and verify their votes. This process requires the smart con- 
tract to perform expensive verification operations during both 
vote casting and tabulation phases, which may have serious 
performance issues, and security and privacy concerns. 


III. PRELIMINARIES 
A. Blockchain 


Blockchains are immutable and irreversible Distributed 
Ledger Technologies (DLTs) that allow data to be stored 
globally across all nodes of a peer-to-peer (P2P) network 
while maintaining data integrity. They are generally cate- 
gorized as public (permissionless) or private (permissioned), 
depending on the node capabilities to participate in governing 
the blockchain. Permissionless blockchains allow any node 
connected to the P2P network to participate in the consensus 
protocol while permissioned blockchains allow only a prede- 
fined set of nodes. In this work, we utilize a permissionless 
blockchain as a bulletin board where voters cast their votes 
by interacting with the election smart contracts deployed over 
the blockchain. Thus, we briefly discuss the main components 
of blockchains and refer readers to [22] for further reading. 


B. Decisional Diffie-Hellman (DDH) Assumption 


The DDH assumption is a computational hardness assump- 
tion and is defined as follows: 

Let G be a group of prime order p,g be a generator, and 
a,b,c Er Z, where €, denotes chosen at random. 


It is infeasible for the adversary to distinguish between any 
given (g, g°,g?, g%®) and (g,g9%,9°,g°), i.e., an algorithm A 
that outputs a guess c = ab, has advantage £ in solving the 
DDH problem in G if: 


|Pr[A(g, 9°, 9°, 9%”) =1]-Pr[ Alg, 9°, 9°, 9°) =1l| >e 


where the value 1 denotes true. The DDH assumption holds if 
no probabilistic polynomial time (PPT) algorithm has a non- 
negligible advantage in solving the DDH problem. 


IV. PROBLEM FORMULATION 


Large-scale elections typically involve at least two parties 
with conflicting allegiances competing to win an election. The 
challenge is to provide a complete voting process that all voters 
and running candidates can trust. It would be ideal to allow 
eligible voters to cast their votes remotely from anywhere 
while securing the integrity of the election and the safety of 
the voters. 


A. System Components 


The general model of our proposed scheme consists of a 
minimum of six entities, each with a distinct role. 

Voters: The eligible set of voters {vu EV | 1<i<n} 
that are granted the right to cast a vote in an election. This 
set is public and subject to audits to prove that only eligible 
voters can vote. 

Registrar R: The first election organizing entity, respon- 
sible for generating unique and random digital ballots to be 
shared with voters anonymously. It cannot link a digital ballot 
to its assigned voter. 

Moderator M: The second election organizing entity, re- 
sponsible for concealing the identities of voters and delivering 
the ballots to them anonymously. It cannot reveal the concealed 
digital ballots as it delivers them to the voters, hence, it cannot 
link a digital ballot to its assigned voter. 

Election candidates: The eligible set of candidates 
{cand E€ C | 1 < k < c} running in an election. 

Blockchain network: A non-trusted peer-to-peer network 
that maintains a publicly accessible blockchain and runs the 
election smart contract. The network nodes cannot link cast 
votes to voters or differentiate between valid and invalid votes. 

Tallying authority: A party that performs vote tabulation 
at the end of the casting phase. This task is performed and 
monitored publicly and therefore does not require any trust. It 
can be performed by anyone monitoring the blockchain. 


B. Security Model and Design Goals 


Our proposed scheme aims at satisfying the following 
design goals: 

Distributed trust: We assume that an election will be 
organized by a registrar R and a moderator M with conflicting 
interests. Neither R nor M is fully trusted by all voters. 
However, due to the conflicting interests between them, they 
are unlikely to collude. 

Voter eligibility: Voting is limited to eligible voters. This 
requires proper voter registration that determines and confirms 
the eligibility of voters, granting them voting rights. 
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TABLE I: Notations Summary 


Symbol | Definition 
vi it” voter, where {vj EV | 1<i<n} 
R registrar 
M moderator 
cand, candidate, where {cand, EC | 1< k <m} 
Ti, Yi v;’8 private and public keys, respectively 
Lr, Yr R’s private and public keys, respectively 
£m, Ym | M’s private and public keys, respectively 
bal; a” ballot, where B = {bal; = EG-Sign(t;) |i € Zn} 
bi it blind factor, used to conceal v;’s public key y; 
ki it? one-time key used to encrypt bal; 
ebal; it” encrypted ballot 
Qi it” ephemeral key 
ebi encrypted b; 
T vi’s ballot and vote, where T = (bal; || Vote) 
Bi vi’s double encrypted T 


Double-voting resistant: Each eligible voter is entitled 
to only a single vote counted toward the election. While 
submitting multiple votes is permitted, only one vote will be 
counted toward the tallied results as predefined by the election. 

Anonymity: A cast vote cannot be linked to the identity 
of a voter. This protects voters, allowing them to freely voice 
their desired opinions. 

Coercion-resistant: Remote voting may expose voters to 
coercion. If subject to coercion, our goal is to provide voters 
the capability to cast votes as instructed under coercion, whilst 
still protecting their actual votes. 


Voter verifiability: Voters can verify that their votes have 
been cast properly and counted toward the election results. 

Universal verifiability: Anyone can verify that all legiti- 
mate votes have been counted correctly. 

Election result manipulation-resistant: Last-minute vot- 
ers cannot manipulate the election results in a close race. This 
requires concealing all votes until the voting phase is over. 

Network adversary: We assume adversaries are capable 
of monitoring public communication channels and performing 
general network-level attacks. By design, our proposed scheme 
builds on cryptographic operations limiting the impact of net- 
work adversaries to at most DoS attacks since all operations, 
such as ballot acquiring and vote casting, can all be verified 
by the voters. 


V. THE PROPOSED SCHEME 


In this section, we present the sequential phases of our 
proposed d-BAME scheme, each occurring during a specific 
time frame predefined by the election organizers. Let G be 
a publicly chosen multiplicative cyclic group of prime order 
p and g is a generator of G. Table I, presents a summary of 
notations used throughout the paper. 


A. Setup 


The registrar and moderator each generate a key pair. They 
select a secret key £y Er Zs, and £m Er Zp and then compute 
their corresponding public keys as y, = g7” (mod p) and 
Ym = g*™ (mod p), respectively. 


Select Candidates 


M) James Linton 


Stephanie Henry 


O 
 @ Mary Rivera 
O 


Mary Rowen 


Click to Start Encrypt Selection 


(a) application start (b) select/encrypt selected can- 


didates 


Fig. 1: Steps to select the desired candidates 


Protocol 1 Voter Registration 
Input: Public key y; of vi, hash function A. 
Output: Digital Signature EG-Sign,, (yi). 
Setup: (Registrar R) 

1: Randomly select secret key x, €, Z5. 

2: Compute public key as yr = g*” (mod p). 


Registration Request: (Voter v;) 
1: Randomly select secret key x; Er Z5. 
2: Compute public key as y; = g™ (mod p). 
3: Send y; to R. 
Authentication: (Registrar R) If v; is eligible: 
1: Randomly select u; with 1 < uj < p — 1 and gcd(ui, p — 
1)=1. 
2: Compute w; = g”* (mod p). 
3: Compute s; = (h(yi) — v-w;)u; | 
4: Send (wi, si) to vi. 


(mod p). 


B. Voter Registration 


At this phase, voters are required to prove their voting 
eligibility to the registrar by providing evidence such as their 
identities. After validation, voters are added to the electoral 
roll. Protocol 1 summarizes this process. 


1) Voter Key Generation and Registration: Each voter 
vi selects a secret key x; Er Zo and then computes the 
corresponding public key as y; = g** (mod p). Public keys 
are shared with the registrar during registration. 

2) Signing Voter’s Public Key: The registrar verifies the 
eligibility of the voters and signs their public keys. It selects 
u; randomly where 1 < u; < p—1 and gcd(u;, p — 1) = 1 
then computes the following: 


mod p, si = (h(yi) — zrwi)uz ' 


wi =g" modp, (2) 
where (w;, si) is the signature. The registrar adds y; || (wi, s4) 
to the electoral list which it discloses once the registration 
phase is complete. 


2327-4662 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. 


Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 22,2021 at 04:24:28 UTC from IEEE Xplore. Restrictions apply. 


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2021.3074877, IEEE Internet of 


Things Journal 


C. Acquiring a Ballot 


To cast a vote, each voter must first acquire a digital ballot. 
Protocol 2 summarizes this process. 

1) Ballots Generation: The registrar generates n unique 
digital ballots T = {t; | i € Zn}, such that 


ti = Electionip || Electiontimestamp || Randi, 


where Rand; €, Ze for some integer e that can ensure that 
ballots are unique and not easily forgeable. The registrar 
then digitally signs t; using ElGamal signature scheme. We 
denote the set of digitally signed ballots as B = {bal; = 
ti || EG-Sign(t;) |i € Zn}. Next, it performs a permutation 7 
on B such that: 

t: B- B. 


2) Voter Permutation: The moderator is an intermediary 
that conceals voter identities from the registrar during bal- 
lot distribution. It generates a one time permuted set o of 
{1,2,...,n} such that: 


a: Zn > Zn. 


3) Requesting a Ballot: Voters initiate the request by 
sharing their public keys y; and corresponding signature 
EG-Sign,, (yi) = (wi, s1) with the moderator. 

4) Voter Identity Obscuring: The moderator checks that 
yi exists in the published electoral roll list and validates 
the shared signature (w;, s;) corresponding to y; through the 
following equation: 


Wi 


Yi 


Si 


h(yi) = -w7 


(mod p). (3) 
The moderator can verify that the voter indeed possesses the 
private key associated with the public key in the electoral 
roll through a challenge-response based authentication. The 
moderator can also check other security credentials, such as 
DOB, SSN, driver’s license number, etc., to ensure proper 
voter authentication. In this event, the moderator obscures 
yi by selecting a blind factor b; €, Z and computing the 
following: 


g 


y; = y” =g™*™ (mod p). (4) 


The moderator then sends y; and a(i) to the registrar. 
5) Ballot Assignment and Encryption: Ballots are assigned 
randomly by the registrar to the blinded voters as follows: 


bal; = n(o (i)). (5) 


To conceal bal;, the registrar encrypts it under an encryption 
key k; derived as: 


ki = (y) ” = g7" (mod p), (6) 


where qi Er Zp. Using k;, the registrar encrypts the ballot as 
the following: 


ebal; = AES-Ency, (bal;), (7) 


where AES-Enc is the AES encryption function. The purpose 
of this encryption is to conceal the ballot from the moderator. 
It enables the registrar to share this ballot with the voter 


anonymously. For this purpose, it generates an ephemeral key 
Qi that would allow the voter to regenerate k; such that: 


Q; = g" (mod p). (8) 


Finally, the registrar sends ebal; and Q; to the moderator. 

6) Encrypted Ballot Transmission: Once received, the mod- 
erator sends ebal; and Q; to the voter along with the encryption 
of the blind factor b; as: 


yi) = (G1, C2), (9) 


where rm Er Zp 
7) Deriving Ballot: The voter decrypts eb; and recovers b; 
as: 


bi = ci epit = bicy” o (g. (10) 
Next, the voter regenerates key k; as: 
ki = (Qi)™** = g7 (mod p). (11) 
Finally, the voter decrypts ebal; as: 
bal; = AES-Dec;,, (ebal;), (12) 


where AES-Dec is the AES decryption function. 


D. Casting Votes 


Before casting a vote, voters select the desired candidates 
they wish to vote for. Fig. 1 represents our designed mobile 
application showing candidate selection. Next, the voter pro- 
ceeds with encrypting and casting the vote. 

1) Ballot Double-Encryption: The ballot associated with a 
vote, denoted as B;, is encrypted under the public keys y, and 
Ym Of both the registrar and moderator as: 


B; = (9°, T; r (Yr Ym)”) = (Ci,3; Cid), (13) 


where v € Zi, T; = bal; || vote;, and vote; = 
(cand;,1,cand;,2,...,cand,;,) is a sequence of bits represent- 
ing each candidate such that: 


1, if voting for cand,, 


cand; = (14) 


0, if voting against cand,. 


2) Submit Vote: To submit the encrypted ballot, the voter 
calls the election vote smart contract SCyote that takes B; as 
input. A vote is permanently cast once the result of the smart 
contract is appended to the blockchain. Fig. 2 is a summary 
of the steps performed by the voter to cast the encrypted vote. 
This process involves importing the blockchain account of 
the voter that allows her to call the SCyote deployed over the 
blockchain and integrate the encrypted ballot as input. Once 
the SCvote transaction is appended to the blockchain, the vote 
is cast and the voter receives a confirmation of the vote along 
with the transaction hash reference. The transaction hash is 
used to verify that the cast vote is stored permanently over 
the blockchain. 
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Enter password 
Algorithm: d-BAME 
Key Size: 2048 


Enter mnemonics phrase 


Encryption Time: 8.372516131 


hover enlist session until 
stairs capital clever vacant 
basic mother run chef 


Import your account to connect to the 
blockchain and cast your vote! 


Import Account Connect and Cast Vote 


(a) encryption result (b) import blockchain account 


e-voting 
G ropsten.etherscan io 


< Back 
Transaction Details 


You have successfully cast 
your vote! 


Your transaction hash: 


0x68c000181fe797a5911094aa 
61bfed4661f855fa6160402953 
a49a6a55805411 


Timestamp: 
©51 secs ago (Oct-24-2019 04:03:56 PM 4UTC) 


Verify Vote! 


Value: 
Ether (50.00) 


Decrypt 


‘Transaction Fee: 
0.000058477 Ether ($0.000000) 


(c) block containing cast vote (d) verify vote on blockchain 


Fig. 2: Steps to cast and verify vote 


3) Publishing Requested Ballots: After the casting votes 
phase is complete, the registrar publishes the set of requested 
ballots 6B’ C B to the blockchain bulletin board, discarding 
the ballots that have not been requested by registered voters. 
This prevents the registrar from using any ballots that have 
not been requested or even creating additional ballots that can 
be used to cast unregistered votes and sway an election in 
a specific direction. This allows the moderator to audit the 
correct number of ballots distributed, while provides ballot 
universal verifiability since voters can verify that their received 
ballots are legitimate. 


E. Tabulation 


Votes that appear on the blockchain within the casting votes 
phase are collected to be validated and counted. Both the 
moderator and registrar publicly disclose their secret keys £m 
and xp. The tallying authority decrypts the attached ballots 
appearing on the blockchain as: 


T; = Cia C33 °C, 3” = Ti (Yr Ym)” (g) (g) =, A5) 
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Protocol 2 Ballot Acquisition 


Input: Public key y; and it’s signature (w;, si) of vi. 
Output: Ballot bal; 
Ballot Generation (Registrar R): 
1: Generate random ballots as T = {t; |i € Zn}. 
2: Digitally sign ballots as B = {bal,; = t; || EG-Sign(¢;) | i € 
Zn}. 
3: Perform permutation 7: B > B. 
Voter Permutation (Moderator M): 
1: Generate permutation as 0: Zn > Zn. 
Request Ballot (Voter v;): 
1: Send public key y; and EG-Sign,, (y;) to the moderator. 
Voter Key Validation (Moderator M): 
1: Check 0 < w; < p and 0 < s; < p— 1. 
2: Verifies g9) = y”, ws (mod p). If Valid, T = true; 
otherwise I’ = false. 
If T = true: 
Voter Key Obscuring (Moderator M): 
1: Randomly select b; €, Zp. 
2: Compute y! = y* = gt (mod p). 
3: Send yf to R. 
Ballot Assignment and Encryption (Registrar R): 
1: Select ballot as bal; = q (ø (i)). 
2: Compute key as k; = (y!) = g®®'% (mod p). 
3: Encrypt ballot as ebal; = AES-Ency,, (bal;). 
4: Compute ephemeral key as Q; = g” (mod p). 
5: Send ebal; and Q; to M. 
Ballot Transmission (Moderator M): 
1: Encrypt eb; = (g"™, bi - y;"") = (Ci1, Cia) 
2: Send ebal;, Q;, and eb; to vi. 
Derive Ballot (Voter v;): 
1: Decrypt b; = ci 2: Gai = bi ys + (g). 
2: Compute k; = (Q;)™®: = gt! (mod p). 
3: Decrypt bal; = AES-Dec,,, (ebal; ). 


where T; = bal; || vote;. If bal; € 6’, the tallying authority ex- 
amines the attached vote sequence and increments the counter 
of each candidate accordingly. Each election may specify its 
own rules that disqualify votes which are cast incorrectly. For 
example, voting yes for two opposing candidates. 


VI. SECURITY AND PRIVACY ANALYSIS 


In this section, a formal proof of security and privacy is 
presented. 


A. Double-Voting 


Unlike the conventional elections where eligible voters are 
granted the right to voice their opinion exactly one time, 
there are many possible new security and privacy issues for 
electronic and remote voting. The malicious act of attempting 
to cast more than one vote is referred to as double-voting and 
aims to give an election candidate an advantage in winning the 
election over others. In countries such as the United States, 
while the majority of states prohibit voting twice in the same 
election, only a few of them prohibit voting in more than one 
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state [23]. This means that eligible voters could register in 
more than one state and attempt to double-vote. The process 
of detecting and penalizing such voters becomes expensive 
and challenging. In remote electronic-voting systems, voters 
receive digital ballots and cast their votes remotely rather 
than visiting a polling station. Since our proposed scheme 
uses the blockchain as a bulletin board to permanently store 
votes, it becomes simple to identify double-voting attempts 
that reuse digital ballots. However, the reuse of digital ballots 
is not the only method to attempt double-voting. Adversaries 
may attempt to double-vote by obtaining undeserved voting 
credentials giving them the right to cast more votes. We 
formally prove that an election running d-BAME is secure 
against such attempts. 


Definition 1 (Secure against double-voting). A voting scheme 
is said to be secure against double-voting if no PPT adversary 
is able to forge a digital ballot that is digitally signed by the 
registrar. 


Theorem 1. Jt is infeasible for any adversary to generate a 
legitimate ballot that can be used to cast a vote correctly if 
the DDH assumption holds. 


Proof. Each ballot bal; € B’ is digitally signed by the registrar 
before being distributed among the anonymous voters. For 
the adversary to generate legitimate ballots, it must be able 
to forge a signature of a ballot bal’, = t; || EG-Sign(¢,). This 
requires the adversary to learn the secret key x, of the registrar 
or find collisions such that h(bal;) = h(bal;). Both operations 
can be reduced to the discrete logarithm problem. Therefore, 
it is infeasible for the adversary to generate a signed ballot 
correctly and the proof is complete. 


B. Voter Anonymity 


To preserve the anonymity of voters, an adversary should 
not be able to link any vote to a specific voter. The proposed 
scheme relies on a secure multi-party computation performed 
by parties of different allegiances to address this issue. As 
discussed in Section V-C, it requires a minimum of two 
conflicting parties to participate during the ballot distribution 
process. As demonstrated, a moderator conceals the public key 
yi of the voter using a blind factor f; and associates it with 
a random value selected from the permutation c(i). On the 
other hand, the registrar selects a ballot randomly and assigns 
it to the anonymous voter. The moderator and registrar would 
need to collude for ballots to be linked to the identities of 
voters. We assume collusion is not in the best interest of any 
of these parties, therefore, voter anonymity can be preserved. 
Our proposed scheme is considered to be secure under this 
assumption if (i) the probability of the registrar to identify a 
public key y; that has been randomly selected from a two- 
element public key chosen by the adversary and blinded does 
not significantly exceed $ and (ii) the moderator cannot derive 
an encrypted ballot. Given these stringent conditions, any other 
adversary should not be able to break voter anonymity since 
it is assumed that access to voter identities and/or ballots is 
inadequate in comparison to both the registrar and moderator. 


First, using the Indistinguishability under Chosen-Plaintext 
Attack (IND-CPA) Security Game, we provide a formal se- 
curity proof that the registrar cannot derive a blinded public 
key. We denote the DDH oracle as O; = (BFGen, Blind, Rec), 
where BFGen is the blind factor generation function, Blind is 
the blind function, and Rec is the recovery function. The IND- 
CPA game consists of a set of interactions between two PPT 
machines, an adversary A and a challenger C acting as the 
moderator. 


1) C computes a blind factor f = BFGen(1") and keeps it 
secret. 

2) Since A does not have access to O1, it may request 
that C blinds for it as many public addresses as it likes 
during any time of the game. A then computes two 
public addresses yo and y; to be challenged against and 
sends them to C. 

3) C uniformly and randomly selects  €, {0,1} then 
computes y’ = Blind(f,s,y,), where s represents a 
randomness state to diversify the blind process and is 
a value that has not been used in any of the previously 
computed ciphertexts. Next, C sends y’ to A. 

4) A outputs a guess u’ of u. A wins the security game if 
u’ = u and loses otherwise. 


An adversary that can derive which public key was blinded 
in polynomial time may be able to identify the identities of 
the voters and link them to the ballots being assigned. The 
DDH assumption implies that the adversary is unable to get a 
non-negligible advantage from the IND-CPA Security Game 
in determining the public key that is blinded. 

Second, we prove that the moderator cannot derive an 
encrypted ballot by the registrar. 


Definition 2 (Voter anonymity). A voting scheme is said to 
preserve the anonymity of voters if no PPT adversary is able 
to get a non-negligible advantage in deriving the identity of 
the voter of any cast ballot. 


Theorem 2. The proposed scheme preserves the voter 
anonymity if the DDH assumption holds. 


Proof. We first begin by proving that the registrar cannot 
derive the identity of a voter it has assigned a ballot to. Assume 
there is an adversary that has non-negligible advantage £, then 
Adv. > ste. We construct a simulator .A that can distinguish 
a DDH element from a random element with advantage £. Let 
G be a publicly chosen multiplicative cyclic group of prime 
order p. The DDH challenger begins by selecting the random 
parameters: a,b €, Z5. Let g € G be a generator and Y is 
defined as Y = g*® (mod p) if u = 0, and Y = g° (mod p) 
for some random c €, Zy otherwise, where u €, {0,1}. The 
simulator acts as the challenger in the IND-CPA game. 


1) C chooses a blind factor f €, Z% and state s* €, Z% 
then computes s = s* + ab and keeps them secret. 

2) A chooses two secret keys £o, £1 Er Zo then computes 
their corresponding public addresses yo and yı and sends 
them to C. 

3) C uniformly and randomly selects  €, {0,1} then 
computes y* = Blind( f, s, y4) = yf g° = g?r f gs tab — 
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g%“fg Y (mod p), where Y = g* (mod p). Next, C 
sends y* to A. 
4) A outputs a guess u’ of u. A wins the security game if 
u’ = u and loses otherwise. 
Given A, if Y = g% (mod p), then y* is a valid ciphertext, 
Adv = £ and 
1 
Pr[A (G4 oy = g”) =1] = 5 +€. 
If Y = g° (mod p) or Y Æ g® (mod p) then y* is nothing 
more than a random value to the adversary. Therefore, 


(16) 


1 

Pr[A(9,9°,9°, ¥ =9°) = 1] = 5. 

From equation (16) and equation (17), we can conclude that 
|Pr[A(g,97,9°,¥ =g”) =1]—Pr[A(g,9%,9",Y =9°) =1] | =e. 


The simulator plays the DDH game with a non-negligible 
advantage which contradicts the DDH assumption. Therefore, 
neither the registrar nor any other adversary can get any 
advantage £ to derive the identity of a voter that has been 
assigned a known ballot. 

Concurrently, the moderator has no advantage in deriving 
the assigned ballot it transmits to the voter during the ballot 
transmission process. Each bal; is encrypted by the registrar as 
shown in equation (7) prior to being shared with the moderator. 
The encryption key k; is generated by the registrar based 
on the blinded public key y; and a value q; €r Zp selected 
randomly. This derivation can be reduced to the discrete 
logarithm problem making it infeasible for the moderator or 
any other adversary to derive k; and decrypt ebal;. 

Therefore, our proposed scheme preserves voter anonymity 
against the registrar, moderator, and any other adversary, and 
the proof is complete. 


(17) 


C. Coercion-Resistance and Ballot Unlinkability 


In the proposed scheme, casting a vote traces back to the 
voters encrypting their desired votes as shown in equation (13). 
To prove that the proposed scheme is coercion-resistant, 
we use the IND-CPA game consisting of a DDH oracle 
Oz = (KeyGen, D-Enc, D-Dec), where KeyGen is a public 
key pair generator, D-Enc and D-Dec) are the encryption 
and decryption functions shown in equations (13) and (15) 
respectively. The IND-CPA game is a set of interactions 
between two PPT machines, an adversary A and a challenger 


C. 


1) C computes two pairs of keys KeyGen(1") — (yo, zo) 
and KeyGen(1¥) — (y1, £1) then sends the public keys 
yo and yı to A while keeping xp and xj secret. 

2) A has access to Og and can encrypt as many T = 
bal || vote of its choice. Next, A chooses a Tọ = 
bal || voteo and T; = bal || vote; then sends them to C. 

3) C uniformly and randomly selects u €, {0,1} then 
computes c* = D-Enc(g”, Tu (Yr'Ym)”). Next, C sends 
c* to A. 

4) A outputs a guess yu’ of u. A wins the security game if 
u’ = u and loses otherwise. 


8 


An adversary that can derive which T was encrypted 
efficiently may potentially be able to learn if voters have 
resubmitted their votes under the same ballots. In our proposed 
scheme, only the last cast vote with a legitimate ballot is 
counted towards the election. As a result, the adversary may 
be able to discover whether the coerced voter has behaved as 
instructed. The DDH assumption implies that the adversary is 
unable to get a non-negligible advantage from the IND-CPA 
Security Game in determining the T that was encrypted. 


Definition 3 (Coercion-resistance). A voting scheme is said 
to be coercion-resistant if no PPT adversary is able to get a 
non-negligible advantage by performing the IND-CPA Security 
Game, i.e. Adv = Pr|u' = pi] < 4 +e for any negligible e. 


Theorem 3. The proposed scheme is coercion-resistant if the 
DDH assumption holds. 


Proof. Assume there is an adversary that has non-negligible 
advantage £, i.e., Adv4 > $ +e. We construct a simulator A 
that can distinguish a DDH element from a random element 
with £. Let G be a publicly chosen multiplicative cyclic group 
of prime order p. The DDH challenger begins by selecting the 
random parameters: a,b €; Z5. Let g € G be a generator and 
Y is defined as Y = g? (mod p) if u = 0, and Y = g° 
(mod p) for some random c €, Zy otherwise, where u Er 
{0,1}. The simulator acts as the challenger in the following 
game: 


1) C chooses the parameters xġ, £] €, Zy then computes 
zo = ® +a and x; = x +a. Next, it simulates 
yo = g7? + g*t* (mod p) and yı = g™ + g™it* 
(mod p). Finally, it sends yo and yı to A and keeps x 
and x1 secret. 

2) A chooses chooses a Tọ = bal||voteg and Ti = 
bal || vote; then sends them to the simulator. 

3) C uniformly and randomly selects  €, {0,1} then 
computes c* = D-Ency, (Ty) = (9°, Ty, « (got . 
git) = (9°, Ty + (g% + gt - g?)) = (9°, Th: 
(eR . gmita>)) = (9°, T, -¥ (gPa - g®1)), where 
Y = g? (mod p). Next, C sends c* to A. 

4) If A guesses the correct value, the challenger outputs 0 
to indicate that Y = git” or 1 to indicate that Y = R, 
a random group element in G. 


Given A, if Y = g?*” (mod p), then c* is a valid ciphertext, 
Adv = £ and 


Pr [A (g9, 9°, 9°, yo = 1] = ; +e. (18) 


Y = g° (mod p) or Y Æ block??? (mod p) then y* then 


* 


c* is nothing more than a random value to the adversary. 
Therefore, 


1 
Pr [A (9,9%, 9°, Y = 9°) =1] = 5. (19) 
From equation (18) and equation (19), we can conclude that 
|Pr[A(g,97,9°,¥ =970") =1] —Pr[A(g,9°%,9°,¥ =9°) =1] |=e. 


The simulator plays the DDH game with a non-negligible 
advantage which contradicts the DDH assumption. Therefore 
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the adversary cannot have an advantage £ and the proof is 
complete. 


Corollary 1 (Ballot unlinkability). It is computationally in- 
feasible to link any vote to its voter, or link multiple votes 
cast by one voter (including the ones created for coercion). 


Proof. In Theorem 2 we prove that d-BAME preserves voter 
anonymity. Correspondingly, it is computationally infeasible 
for an adversary to link a ballot to the voter. In Theorem 3 we 
also show that d-BAME is coercion-resistant during the casting 
votes phase. This allows voters to cast their votes multiple 
times in an election having only the predetermined vote as 
described later in Section IX-C counted toward the election 
results. By design and to provide voter verifiability once the 
election results are disclosed, the coercer may learn that the 
voter has not voted as instructed. 


D. Election Results Manipulation 


The proposed scheme utilizes a blockchain as its public 
bulletin board for voters to cast their votes. It is secure against 
election result manipulation if it is run on a blockchain that 
adopts the longest chain rule and the computational power of 
the adversary in the blockchain network is no more than 50%. 
Voters interact with a voting smart contract that accepts a vote 
in the form shown by equation (13) as input. At the end of 
the voting phase, the tallying authorities scan the blockchain 
logs to collect all votes that have been cast during the voting 
phase. Votes that pass the validation are counted towards the 
election results while those that fail are discarded. Valid votes 
are posted to the blockchain along with their corresponding 
ballots to announce election results and allow voter validation. 
Voters can individually recognize that their votes have been 
counted correctly towards the final election results. 

Before casting their votes to the blockchain, voters are 
required to encrypt their votes under public keys of both 
the registrar and moderator. This encryption acts as a secure 
envelope as it conceals the actual vote during the voting 
phase. It ensures that all encrypted votes can only be opened 
through decryption when both parties disclose their private 
keys. Ballots associated with votes are checked against the 
published $’ in the blockchain. Votes with legitimate ballots 
are accepted or rejected otherwise, making this process similar 
to the signature verification on mail-in ballots in the US 
general election. 


VII. PERFORMANCE EVALUATION 


In this section, we present a performance evaluation for d- 
BAME and compare it with two blockchain-based schemes 
presented in [14] and [15]. In comparison to our work, 
both schemes perform some cryptographic operations in their 
deployed election smart contracts. Therefore, d-BAME can 
achieve a significant performance advantage and is more 
suitable for mobile e-voting. 


A. Computational Costs 


We formulate the computational costs of each voting stage 
for the three schemes based on the number of multiplication 


(M) and exponentiation (E) operations. Table II summarizes 
the number of these two operations for each scheme. 

1) Setup: In [14], the setup consists of an admin that 
authenticates voters with their Ethereum user-controlled ac- 
counts then updates a whitelist of voters to include all eligible 
voters. However, the paper did not discuss any cryptographic 
operations in the authentication process. We assume that the 
setup for this scheme does not require any M or E operations. 

On the contrary, [15] requires cryptographic primitives 
like Paillier encryptions, proof-of-knowledge (PoK), and 
Short Linkable Ring Signatures (SLRSs) computed over the 
blockchain platform. 

In comparison to both schemes, d-BAME requires the 
moderator and registrar to generate their public key pairs, 
Ym and yr, that are used during the entire election process, 
imposing a single E operation for each. 

2) Voter Registration: At the voter registration stage, [14] 
requires each voter to generate a key pair at a cost of one 
E operation. Voters must also generate a non-interactive Zero 
Knowledge Proof ZKP (x;) to prove knowledge of their secret 
key sk;. Specifically, it uses a Schnorr proof [24] made non- 
interactive using the Fiat-Shamir heuristic [25], resulting in an 
additional M and E operation. Once derived, voters broadcast 
pki and ZKP(«;) through the specified election smart contract. 

In [15], voter registration requires interaction between the 
voters and an election smart contract. Initially, eligible voters 
obtain the SLRS parameters generated during the setup phase 
and generate their SLRS key pairs. Voters then send their 
public keys to the blockchain through the smart contract to 
verify their signature. 

In comparison, d-BAME relies on a registrar to facilitate 
voter registration. Voters begin by generating their key pairs 
(ski, pki). After verifying the eligibility of voters, the registrar 
signs their public keys and adds them to the electoral roll. 
The total signatures for registering all voters are 2nM and nE 
operation. 

3) Acquiring Ballots: To acquire a ballot, [14] initially 
requires the election smart contract to verify all n received 
ZKP(a;). A single verification costs one M and 2E operations. 
Next, the smart contract generates all n digital ballots, where 
a single ballot generation requires a total of nM operations. 
Voters acquire their corresponding generated ballots and use 
them in the next stage during vote casting. 

In [15], voters are not required to perform any computations 
to acquire a digital ballot. Instead, they can immediately cast 
their votes once registration is complete. 

In comparison to both schemes, d-BAME involves voter 
engagement with the moderator and registrar. Initially, the 
registrar generates the set of random and digitally signed 
ballots. Next, the voters interact with the moderator, who 
obscures their identities from the registrar while facilitating 
ballot distribution. The total operations performed by a voter, 
the moderator, and the registrar are 2M+2E, 2nM-+6nE, and 
2nE operations, respectively. 

4) Casting Vote: To cast a vote, [14] requires each voter 
to perform one M and 2E operations. Each voter must also 
generate another ZKP (x;) to prove that they have voted either 
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TABLE II: Performance Comparison. 


Setup Voter Reg. Acquiring Ballots Casting Votes Tabulation 

Scheme [14] [15] [d-BAME| [14] | [15] |d-BAME] [14] | [15] |d-BAME] [14] [15] d-BAME] [14]] [15] |[d-BAME 
Operation MJEIM| E IM] E /M/JE/MjJE]M] E |M|E/MJE]M]E /MJE M E M | E |M]EIM| E |M] E 
Voter 0/0] 0 0 [0] 0 )1/2)1];1] O| 1 [O07] 07] nf] 2 | 2 [2|3|2(mH)[3m+b+9| 2 |2 [ojojo 0 | 07 0 
Moderator n/a | 2 0 O | 1 fna/0|0 0 | 0 n/a | n/a | 2n | 6n | n/a 0 0 0 | O | n/a J10} 5 0] 0 
Registrar n/a [5+K(1+2K| O0 | 1 | n/a |0]O|2n| n | n/a | n/a} O | 2n] n/a 0 0 0 | O | n/a n/a 0] 0 
Tallying Authority| n/a n/a 0 n/a | na|] 0] 0 n/a | n/a] 0O | O | na n/a 0 | 0 | n/a n/a 2n | 2n 
Smart Contract [0/0] 0 0 | 07 0 [0)0/0jn} 0 | 0 [2n]j2nj n/a} 0 | 0 Jojo] n+) 5n 0 | 0 |nj0|1 [3m 0 | 0 


yes or no. The generated ZKP(x;) requires an additional M 
and E operation. 

In [15], voters can vote for multiple candidates. The se- 
lected candidates are encrypted using Paillier homomorphic 
encryption, which is about 4 times slower than the ElGamal 
encryption since its operational parameters are twice of the 
size of the ElGamal scheme. The voters then compute a PoK 
to prove that they correctly encrypt a candidate and send 
their encryption and derived PoKs to the smart contract for 
verification. If valid, the smart contract signs the result and 
returns it to the voter. Upon receiving it, voters validate the 
signature and generate SLRS over the result to finalize their 
votes and cast it to the blockchain. Next, they generate a 
PoK for their signatures and send it to the smart contract for 
verification. 

In comparison, d-BAME requires a voter to double encrypt 
bal; using ElGamal encryption and attach it to the vote; where, 
vote; is a sequence of bits representing each candidate, 1 if 
voting for cand, and 0 if not voting for cand,. The total 
operations performed by a voter include 2M and 2E operations. 

5) Tabulation: In [14], tabulation requires verifying each 
ZKP(;) submitted the voters, imposing one M and 2E oper- 
ations per verification. Next, the tally is computed requiring 
nM operations. 

In [15], the election smart contract first adds all published 
and encrypted votes then signs the result and sends it to the 
admin. The admin verifies the signature and decrypts the sum 
using homomorphic decryption. The admin must also decrypt 
and verify the correctness of the PoK and sends the results 
back to the smart contract. The smart contract finally verifies 
the correctness of the information sent. 

In comparison to both schemes, for d-BAME, the tallying 
authority is required to double decrypt each existing vote 
using the revealed moderator and registrar private keys, £m 
and x,. This imposes a computational cost of 2nM and 2nE 
operations. 


B. Scalability 


Ethereum 1.0 blockchain is based on the Proof-of-Work 
(PoW) consensus mechanism, limited to approximately 15 
transactions per seconds. More recently, Ethereum 2.0 has 
launched utilizing the Proof-of-Stake (PoS) consensus mecha- 
nism, promising up to 100,000 transactions per second in two 
years [26]. Running an election for the approximately 150 
million Americans that voted in the 2020 U.S. presidential 
election utilizing d-BAME over the Ethereum 2.0 will suffice 
to complete the casting votes phase in approximately 25 
minutes. Our recommendation to utilize Ethereum blockchain 


is solely based on its wide popularity and adoption. It may not 
guarantee the best performance or cost efficiency. In fact as 
the blockchain research continues to grow, other blockchains 
may emerge to be more scalable and cost efficient. 


VIII. EMPIRICAL RESULTS 


In this section, we present our empirical results of various 
simulations of d-BAME. We implement two versions of d- 
BAME, a desktop application, and a smartphone application. 
The desktop application is implemented using Maple v16 and 
we simulate it on a MacBook Air running OS X 10.13.6 
equipped with 2 cores, 1.8 GHz Intel Core i5, and 8 GB 
1600 MHz DDR3. The smartphone application is developed 
over Xcode version 11.2.1 and is written in Swift 5. We use 
the BigInt library! to perform large number cryptographic 
computations. Our smartphone simulations are performed over 
an iPhone XR running iOS 13.2.2 equipped with the Apple 
A12 Bionic, a 64-bit ARMv8.3-A six-core CPU, with two 
cores running at 2.49 GHz. 

Both applications interact with our Solidity-based smart 
contract that we deploy over the Ethereum Ropsten testnet 
blockchain to cast the encrypted votes at the end of the voting 
stage. The main inputs to the smart contract are the two 
encrypted vote components, B; = (cj,3, ci,4), as depicted in 
equation (13). For our desktop application, we utilize Meta- 
Mask’, a browser plug-in that allows voters to manage their 
Ethereum wallets and call our deployed smart contract to cast 
their votes. For our smartphone application, we incorporate 
the web3swift library? into our code to provide the voters with 
the same functionality to cast their votes using their mobile 
devices. We note that the performance relies on the selection 
of software packages. Our selection does not guarantee the 
best performance. Instead, it shows that d-BAME is suitable 
for large-scale elections. 

For an election, d-BAME is run by each voter on either 
a desktop or mobile device. After vote casting is complete, 
tabulating the votes is a job performed by the tallying au- 
thority, which is generally performed offline using powerful 
computers. Therefore, we assume that all stages are performed 
over a mobile device while tabulation is performed by anyone 
that has access to a desktop machine. In comparison to other 
schemes, d-BAME is the only scheme that allows voters to 
generate the election results themselves if they wish and can 
afford the required computational requirements. 


"https://github.com/attaswift/BigInt 
?https://github.com/MetaMask/metamask-extension 
3https://github.com/matter-labs/web3swift 


2327-4662 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www. ieee.org/publications_standards/publications/rights/index.html for more information. 


Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 22,2021 at 04:24:28 UTC from IEEE Xplore. Restrictions apply. 


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2021.3074877, IEEE Internet of 


Things Journal 


11 


5507--- °°: ek steemEaeg a AP ERREaEENEHaait p 


— Smartphone run time 
— — Exponential function 


01257-0007 iat E P i 0g piiereeeressa 
0.100} -++i S E 
5 : | — Computer runtime | : : g 
ES : == Exponential function 40) RA AEE FE PNE 
E 00754 ierre rohrrernreehen Be E 
8 z 
5 Fd a 
` $i H 
‘g 0.0507- stieteartaes S APS TER ASS & 
£ : : PP ee 
= | : -£ 
Cr) E RE ee ores 


Smartphone/Computer run time ratio 


+ + + t + H 300l rere ree OROT EERE UE aes OF 
1000 2000 3000 4000 1000 2000 3000 4000 1000 2000 3000 4000 
keysize keysize keysize 
(a) (b) (c) 


Fig. 3: Time comparison for various key sizes: (a) in computer, (b) in smartphone, (c) smartphone/computer. 


Therefore, we focus our analysis on investigating the dif- 
ferent time costs for casting a vote for both a computer and a 
smartphone. Specifically, we measure the time costs to perform 
the double encryption computation presented in equation (13). 
Fig. 3 shows the time costs we obtain under eight different 
encryption key sizes. The presented time costs are the average 
time costs of ten different trials for each key size. 


Based on our results, we come to various conclusions. 
Fig. 3(a) shows that with maximized security at a key size 
of 4096 bits, voters can cast their votes in approximately 0.11 
seconds using a desktop. Correspondingly, Fig. 3(b) shows 
that to maintain the same level of security while running d- 
BAME over a smartphone, it would take less than a minute to 
cast a vote. In both cases, the time increases exponentially 
with the increasing of key sizes. Today, in practice, key 
sizes of 2048 bits are generally considered secure, hence, 
casting a vote through a mobile device may even be reduced 
to approximately 8.36 seconds. The difference between the 
time costs and of running d-BAME over a desktop and a 
smartphone is evident because of the processor capabilities 
we describe above. Desktop machines are generally built with 
more powerful processors giving them a conspicuous advan- 
tage over smartphones. However, the purpose of this analysis 
is to prove that even with this advantage, it is still feasible 
to run d-BAME over a smartphone and achieve acceptable 
results. 


To further analyze our findings, we also measure the smart- 
phone to desktop time cost ratio and observe its change as 
we increase the key size. Fig. 3(c) presents these results 
showing that as the key size increases, the ratio increases 
logarithmically. This suggests that, beyond a certain key size, 
the advantage of running d-BAME over a desktop versus 
running it over a smartphone decays as the keys grow in size. 
For example, as shown in Fig. 3(c), the smartphone/desktop 
ratio at the key size of 2048 bits is 466 and increases to 
478 with the key size of 2560 bits, showing a 2.5% increase. 
This increase is smaller when compared to the ratio increase 
between the key size of 1536 bits, where the ratio is 444, and 
that at the key size of 2048 bits, showing an increase of 5%. 
This pattern can be observed between all key sizes shown in 
the figure. 


IX. DESIGN TRADE-OFFS 


In this section, various implementation trade-offs are dis- 
cussed. These trade-offs enable elections to adjust to different 
d-BAME implementations based on the required design goals. 


A. Universal Verifiability vs. Coercion-Resistance 


In traditional paper ballot-based voting systems, voters cast 
their votes in a physically isolated environment without facing 
interference from coercers throughout the election process. 
However, universal verifiability is limited to monitoring ballots 
as they are counted which is prone to significant error. Even 
when utilizing on-site computerized voting machines to pro- 
vide features such as voter and universal verifiability, voters 
must trust that these machines are secure, privacy-preserving, 
and software independent, which means that an undetected 
change or error in its software cannot cause an undetectable 
change or error in an election outcome [27]. 

On the contrary, in mobile e-voting systems, voting is 
performed remotely by the voters via their personal devices 
such as desktops or mobile devices, allowing features such 
as voter and universal verifiability features to be more easily 
implemented. Assuming the devices are secure, voters need 
just to trust that the installed voting software is legitimate. 
However, with mobile e-voting, the coercers may be able to 
interfere with any phase of the voting process. To address 
this concern, a stronger form of private voting known as 
coercion-resistance emerged [6]. A coercion-resistant voting 
system is one that accounts for coercers that can engage with 
voters while they cast their votes remotely during an election. 
Engagement may be in the form of a coercer forcing voters 
to cast their votes in a specific form or even forcing them 
to divulge their voting credentials by easily blackmailing the 
voters. Other engagements may even include coercers willing 
to peacefully buy votes from the voters. 

In Section V, we showed how two conflicting parties 
facilitate the anonymous distribution of our uniquely generated 
ballots. Under this assumption, it is not in any interest of 
either party to share any information during ballot distribution, 
thus, the identities of voters and their anonymously assigned 
ballots remain concealed. Consequently, voter verifiability is 
achieved since voters can recognize their ballots. While the 
uniqueness of the ballots ensures voter verifiability, it also 
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gives rise to the coercion problem. Coercers that can get access 
to the ballots of voters will also be able to learn if these 
voters have behaved as instructed once the election results 
are finalized and disclosed, i.e. weak coercion-resistance. This 
results in a clear conflict between the universal verifiability and 
coercion-resistance features. Our proposed work is designed to 
achieve a trade-off between these two characteristics, allowing 
an election to favor one over the other. 

a) Voter and Universal Verifiability: In the case that 
universal verifiability is preferred, at the end of the tabula- 
tion phase, the registrar and moderator both disclose their 
private keys and the tallying authority publishes the results 
of the election on the blockchain, which allows all voters 
to verify that their votes have been counted properly toward 
the election. Alternatively, votes can be published along with 
their corresponding ballots over the blockchain as a proof 
of the legitimacy of the election results. Any individual can 
validate that all votes have been cast and counted properly. 
This design also prevents the registrar from attempting to issue 
unassigned ballots to voters in favor of a particular candidate. 
In this setting, the proposed scheme provides weak coercion- 
resistance. Once the election results are disclosed, the coercers 
would be able to find out whether the coerced votes are being 
counted toward the election. 

b) Strong Coercion-Resistance: A practical coercion- 
resistant voting system should be receipt-free, allowing voters 
to evade proving to their coercers how they voted. This 
property requires a voting system to be designed in a way 
so that it does not generate any legitimate evidence that may 
leak information about the votes. By design, our proposed 
scheme requires voters to encrypt their votes as shown in 
Equation (13). This can be viewed as a receipt and may 
allow information to be leaked on how voters have voted. 
Therefore, if strong coercion-resistance is required, ballot 
verification can be delegated to just the registrar and the 
moderator. The registrar and the moderator jointly decrypt 
and publish the results excluding the ballots. Given that the 
registrar and the moderator are unlikely to collude and that 
their verifications must match, voters can trust that the election 
result integrity is maintained. However, this limits voter and 
universal verifiability. 


B. Receipt-Freeness 


Our proposed scheme may be modified to offer receipt- 
freeness at an additional computational cost. Once a vote is 
cast as described in equation (13), the moderator can decrypt 
then re-encrypt it as follows: 


B; = (ci,39", 4c, 37 Yp =" ™, Tayk™)=(e9 Ga)» (20) 


where u Er Zi. This method conceals the ballots of voters 
preventing them from identifying them during the vote casting 
phase. Simultaneously, once tallying is performed and the 
election results are disclosed, voter and universal verifiability 
can still be performed since ballots are unconcealed. 


C. Counting First Ballot vs. n‘” Ballot 


In our proposed scheme, voters receive unique digital ballots 
which they use to cast their votes to the blockchain. This 
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design grants voters the ability to cast their votes multiple 
times while identifying those trying to double vote. As a result, 
only one cast vote corresponding to each legitimate voter is 
counted toward the final election results. This feature allows 
elections to specify different policies on which vote to be 
counted based on the election needs/circumstances. Therefore 
it becomes a trade-off between selecting the first ballot vs. 
nt” ballot. Elections favoring counting the first vote may be 
more prone to coercion. It becomes more difficult for coercers 
to monitor and detect how voters have voted since they must 
be physically present in a timely manner among the voters to 
force them to give up their credentials. In large-scale elections, 
this becomes infeasible due to the geographical distribution of 
voters. Thus, the overall effect of coercing voters to manipulate 
the election results becomes insignificant. On the other hand, 
other elections may favor counting the nt” cast ballot. This 
method may be advantageous to elections that prefer allowing 
their voters to change their minds and re-cast their votes. 
However, with this extended time, coercers may have more 
time approaching a larger number of voters. In fact, elections 
that favor counting the last cast vote may be problematic in 
large-scale elections. Coercers that are able to obtain voters’ 
credentials may wait until the last minute to cast all votes 
and manipulate the election results. Therefore, choosing this 
method may be more reasonable for small-scale elections with 
less possibility of coercion. 


X. CONCLUSION 


In this paper, we proposed d-BAME, a novel blockchain- 
based and remote electronic voting scheme. The proposed 
scheme is designed to run large-scale elections and aims at 
improving voter turnout. Our security and privacy analyses 
show that d-BAME is secure, preserves voter privacy, protects 
voters against coercers, and maintains the integrity of election 
results. In our performance analysis, we compare the com- 
putational complexity of d-BAME to two schemes and show 
that d-BAME is more appropriate for large-scale elections. 
Finally, in our empirical results, we present the results of 
running various simulations for d-BAME over both a desktop 
machine and a smartphone. Our results show that it is feasible 
to run d-BAME over a mobile device, hence improving the 
accessibility of elections. 
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